Welcome to IWETHEY!

New Steve Gibson: "WMF flaw was a deliberate back door".
He says he's not through with the analysis, and he's done some dumb stuff in the past, but anyone who can write SpinRite knows programming right down to the hardware level, and ShieldsUp shows he knows something about security, so it's worth paying attention to until proven otherwise.

If he is proven correct this will be one very heavy blow to Microsoft and/or to its programming skills and internal controls. If there's one deliberate back door, there's probably more.

He says he's not done yet so his results are preliminary. More info and a link to his podcast at [link|http://www.groklaw.net/article.php?story=20060113111825193|Groklaw]
[link|http://www.aaxnet.com|AAx]
New He needs to adjust his tinfoil IMHO
--
Chris Altmann
New He's got a pretty good case
Listened to the show...and he seems to have a pretty valid series of justifications for his thinking.
If you push something hard enough, it will fall over. Fudd's First Law of Opposition

[link|mailto:bepatient@aol.com|BePatient]
New Yup
Good podcast. He LOVES MS. It is his life, his career, his every moment (or so it seems). And now he can no longer trust them (I guess he's a bit to the game in that area) and it really shook him up.

New Is there more in it than what was in the transcript?
Because I read that and it sounds like he doesn't know what he really "found" yet.

FWIW MS doesn't seem to think there's much to it:

[link|http://blogs.technet.com/msrc/archive/2006/01/13/417431.aspx|http://blogs.technet...01/13/417431.aspx]

but that's what they want you to think.
--
Chris Altmann
New Where'd you find a transcript?
Since I don't have an iPod, a podcast is only slightly less useless than a toothache.
jb4
shrub●bish (Am., from shrub + rubbish, after the derisive name for America's 43 president; 2003) n. 1. a form of nonsensical political doubletalk wherein the speaker attempts to defend the indefensible by lying, obfuscation, or otherwise misstating the facts; GIBBERISH. 2. any of a collection of utterances from America's putative 43rd president. cf. BULLSHIT

New On GRC
[link|http://www.grc.com/SecurityNow.htm#22|Here]'s a variety of formats.

Not a lot of meat there, though.

Cheers,
Scott.
New Podcast is just an MP3
===

Purveyor of Doc Hope's [link|http://DocHope.com|fresh-baked dog biscuits and pet treats].
[link|http://DocHope.com|http://DocHope.com]
New A guy over at SysInternals is said to be . . .
. . reviewing this and will issue an opinion (nothing on the [link|http://www.sysinternals.com/|SysInternals Site] yet though).
[link|http://www.aaxnet.com|AAx]
New Sysinternals verdict: Not a back door
An insecure design from a more "innocent" time, overlooked by Microsoft's much vaunted security reviews.

[link|http://www.sysinternals.com/blog/2006/01/inside-wmf-backdoor.html|http://www.sysintern...wmf-backdoor.html]
--
Chris Altmann
New Just stupidity and incompetence, eh? SOP for M$.
New Seems very unlikely to me
If Gibson's understanding of the coding vulnerability is right then I agree with him; it's very hard to think that it is a coding mistake. It strikes me as also very unlikely that somebody at MS intentionally left such a backdoor in Windows.

My guess would be that some programmer at MS put the backdoor in on his own because it was handy for debugging something he was working on or some such and it never got taken out.

Jay
New But that's just as bad
especially in light of the code freeze and review.

It should have been caught...but wasn't (which he covers).

I would not be hard-pressed to believe that there are several of these, there on purpose and that this one simply "got found out".

Sort of like easter eggs...only with a completely different purpose (NSA or otherwise).

If you push something hard enough, it will fall over. Fudd's First Law of Opposition

[link|mailto:bepatient@aol.com|BePatient]
New Do I understand this right?
I heard it had to do with printing images, and the ability to abort a print job. Is that appropriate to put in the image code, and not the printing code?

I guess for really large files on older hardware it could take a while to finish converting it into a printable format and you'd want to be able to interrupt it. But wouldn't it make more sense <question class="from ignorance">to spawn a thread for the printing, and if you receive the interrupt from the printing system you just kill that one thread?</question>
===

Purveyor of Doc Hope's [link|http://DocHope.com|fresh-baked dog biscuits and pet treats].
[link|http://DocHope.com|http://DocHope.com]
New did $MS understand multithreading when they wrote it?
Any opinions expressed by me are mine alone, posted from my home computer, on my own time as a free american and do not reflect the opinions of any person or company that I have had professional relations with in the past 50 years. meep
New It is part of that
I guess for really large files on older hardware it could take a while to finish converting it into a printable format and you'd want to be able to interrupt it. But wouldn't it make more sense <question class="from ignorance">to spawn a thread for the printing, and if you receive the interrupt from the printing system you just kill that one thread?</question>

The function in question is the one a program uses to tell Windows that you want that interrupt and where you want that notification sent in your program.

But this function is not for the conversion phase, it is for the actual printing part. This is to handle the case where the program is done with the printing entirely, but the physical pages are not done coming out of the printer. This lets the program get notification if the print job is stopped after the program is done with it.

As for why the function exists at all for WMF and display routines, it is because of Windows' unified drawing subsystem. Windows, in theory, has one set of drawing functions that are used for all output contexts. WMFs are really just a way of storing those drawing commands in a file, and thus WMFs have access to the same functions as display and printer routines.

Jay
New No.
He was using the explanation of printing vs. viewing as a reason why MS MIGHT have screwed up and done it by accident.

If a file is going to the print subsystem, there is the possibility that the job will need to be aborted after the hand-off. So there is the ability to drop a callback into the file that will allow the print subsystem to check if it has been aborted. The callback is a 4 byte address in the submitting program's memory space, which holds a routine, and will tell the print subsystem whether the job should be aborted.

This is different.

In this case, there is an illegal instruction in the WMF file that is VERY unlikely to be there by accident. It essentially says that the length of the data to follow is 1 byte, but since it is dealing in words it must be at LEAST 4 bytes. Combine that with the abort instruction. And then, rather than jump to a callback (which would be appropriate if this was a mistake, i.e. a cut-and-paste of the underlying code that makes no sense for viewing rather than printing), start executing code contained within the image file.

This also means there is no return to the current operation, since the stack is destroyed.
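A small checker written for this edit (not Gibson's, Sysinternals' or Microsoft's code) that walks the WMF records this post and the later "content size to 1" remark describe, refusing to trust the declared record size and flagging the SetAbortProc escape; the record layout and constants are taken from the MS-WMF specification, and the sample file is constructed inside the block.

```python
import struct

# WMF constants from the MS-WMF specification (assumed here, not from the thread).
META_EOF = 0x0000
META_ESCAPE = 0x0626
ESC_SETABORTPROC = 0x0009
HEADER_LEN = 18        # standard METAHEADER is 9 words (placeable header not handled)
MIN_RECORD_WORDS = 3   # RecordSize (2 words) + RecordFunction (1 word)


def walk_wmf_records(data):
    """Yield (offset, size_words, function) for each record without trusting RecordSize.

    A record shorter than its own 6-byte header (the size-1 case above) is still
    reported, but walking stops there instead of following the bad length.
    """
    off = HEADER_LEN
    while off + 6 <= len(data):
        size_words, func = struct.unpack_from("<IH", data, off)
        yield off, size_words, func
        if func == META_EOF or size_words < MIN_RECORD_WORDS:
            return
        off += size_words * 2


def audit_wmf(data):
    """Return findings (strings) for a WMF byte string; an empty list means nothing odd."""
    if len(data) < HEADER_LEN:
        return ["file shorter than a WMF header"]
    findings = []
    for off, size_words, func in walk_wmf_records(data):
        if size_words < MIN_RECORD_WORDS:
            findings.append(f"record at {off}: RecordSize={size_words} words, below the 3-word minimum")
        # Read the escape sub-function from the bytes physically present, not the
        # declared size, so an undersized record cannot hide the escape.
        if func == META_ESCAPE and off + 8 <= len(data):
            if struct.unpack_from("<H", data, off + 6)[0] == ESC_SETABORTPROC:
                findings.append(f"record at {off}: META_ESCAPE with SETABORTPROC (a callback inside a picture)")
    return findings


def build_sample(size_words):
    """Constructed test file: header, one SETABORTPROC escape record, then META_EOF.

    The escape data is filler text, not code; size_words is the record's declared
    length, either the true 9 words or the bogus 1 discussed in the thread.
    """
    header = struct.pack("<HHHIHIH", 1, 9, 0x0300, 0, 0, 0, 0)   # Type, HeaderSize, Version, ...
    esc_data = b"FILLER!!"                                      # 8 placeholder bytes
    escape = struct.pack("<IHHH", size_words, META_ESCAPE,
                         ESC_SETABORTPROC, len(esc_data)) + esc_data
    return header + escape + struct.pack("<IH", 3, META_EOF)
```

Running `audit_wmf(build_sample(1))` reports both the undersized record and the escape, while `audit_wmf(build_sample(9))` reports only the escape.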
New I would say not quite as bad
Of course, I would also say it is the difference between criminal negligence and homicide. Either way it is a crime.

Jay
New Microsoft have an explanation.
And I believe it's credible.

[link|http://blogs.technet.com/msrc/archive/2006/01/13/417431.aspx|http://blogs.technet...01/13/417431.aspx]

To detail it a little bit, SetAbortProc functionality was a needed component in the graphics rendering environment for applications to register a callback to cancel printing, before even the WMF file format existed. ... Around 1990, WMF support was added to Windows 3.0 as a file-based set of drawing commands for GDI to consume. The SetAbortProc functionality, like all the other drawing commands supported by GDI, was ported over (all in assembly language at this point) by our developers to be recognized when called from a WMF. This was a different time in the security landscape and these metafile records were all completely trusted by the OS. To recap, when it was introduced, the SetAbortProc functionality served an important function.


He goes on to say that IE's WMF execution would not recognise the function class that SetAbortProc is in, but there are simple ways to trick it into running such a WMF file via another program anyway.

It looks like a case of a very old and still very useful low-level Windows function that is still around but the landscape around it has changed so much that it's causing problems.

Wade.
"Insert crowbar. Apply force."
Edited by static Jan. 18, 2006, 01:02:33 AM EST
New Artful Dodging
That's not why Gibson thought it was a back door. The back door part comes in when you realize that the SetAbortProc functionality only works in a WMF when you explicitly (and incorrectly) set the content size to 1.

BTW, fix your link, please.
Regards,

-scott anderson

"Welcome to Rivendell, Mr. Anderson..."
New Link fixed.
Actually, I think MS and Gibson are talking past each other. This MS guy is asserting that Gibson is basically wrong to think of it as a backdoor. OTOH, Gibson seems to have found a genuine bug in the parsing of a WMF, if an incorrect length of 1 can trigger that behaviour. It'd be interesting to see his counter-response (he hasn't posted one yet).

Wade.
"Insert crowbar. Apply force."
New I like how that "blog" doesn't allow comments, too.
Regards,

-scott anderson

"Welcome to Rivendell, Mr. Anderson..."
New If it's brought forward from legacy stuff . . .
. . how come legacy Windows isn't vulnerable? The features enabling the vulnerability were introduced in Windows 2000 and XP.
[link|http://www.aaxnet.com|AAx]
New Dang. Beat me to it. That was my first thought.
bcnu,
Mikem

It would seem, therefore, that the three human impulses embodied in religion are fear, conceit, and hatred. The purpose of religion, one might say, is to give an air of respectability to these passions. -- Bertrand Russell
New No default program for WMF = No "critical" vulnerability
--
Chris Altmann
New Interesting "analysis" / Guess-of-motives
Interesting too.. the local IGM general disgruntlement with Steve's flamboyant prose, in various of his pronouncements over the years - has its counterparts in that thread, too. Except that he also has his defenders. Who note that, re all that original poo-poohing re Steve's "raw sockets" tirade: SP2 closed the suckers, years (after hopefully, nobody noticing?) later.

As to his suspicions (as already noted here) how's come the fix in 9x got conveniently disregarded in >9.x? Nothing overtly paranoid in Steve's take: he, like the author of the thread, are *all* guessing re pgmr. motivations. (Nobody evah tells the Whole-truth about 'motivations' anyway) cf. "Baby it's your mind that attracts me... Really."

I notice that at least a couple responders are also aware of his assy lang. wizardry. Well, that stuff may be abstruse but it's not unfathomable. Even moi had a brief immersion in the power/speed of assembly; I ackshully wrote a few bars of one riff. Certainly exercises the little grey cells, after about line 10. How many lines in SpinRite? (Though.. the exe remains still, astoundingly tiny, compared with the shortest C+slovenly masterpiece.)

I don't mind Steve's 'style' - his audience is not (typ) the anointed, anyway. But he certainly doesn't need to defend his techno competence: Let's see someone/anyone? do a clean-room clone of Spin Rite. I dare ya. Name the bet.

'Til then, I give him an A- for being among the few who continue to dig into projects that manifestly Won't make him any $$ ..and, even when they attack his fav OS (which does, indirectly "make him some $$".) And.. he Found this one; still he gets dissed: by the Anointed-who-never-looked. Cheap shots. Like at an AMA convention re gall-bladder speed-removal techniques.

Hands up: anyone here ever used his Shields Up?
(when you left your test suite in the Norton's saddle bags)

Grudgingly?


Steve: +3
Beast: -4

(-2 of that - for a new low in artlessness of "excuses" - rivalling the number of subsequent "reasons for Iraq invasion", besides those awful invisible WMDs.)


My three accumulator rotations, Left.

New Shields up is a waste of time.
Nmap is far better, and doesn't provide a web-based DDOS mechanism.

(Crappy IP address hashing in the algorithm used to generate the URL that initiates the scan means that I can use grc.com to hit other people's computers. Security-minded, my arse)

Steve should stick to hard disks.


Peter
[link|http://www.no2id.net/|Don't Let The Terrorists Win]
[link|http://www.kuro5hin.org|There is no K5 Cabal]
[link|http://guildenstern.dyndns.org|Home]
Use P2P for legitimate purposes!
New Elitist smugness
Steve realizes the attention span and priorities of the impatient/uninformed majority-caste.
For the unwashed, Shields Up is simple and a fuck of a lot better than nothing at all == the Usual situation.

Now tell me how many of the clueless are going to find out how to install and use WinPcap first, then remember wtf DOS was, then launch their nmap and go back to gaze again at that [link|http://www.insecure.org/nmap/install/inst-windows.html#fig-windows-cmdshell-exec| DOS readout] and interpret same. Ditto the "Win" version that still displays in DOS box. Stark as evah. woo.

Nicely accurate details - for those familiar with such details.
For the rest - it's Google time to find out [what a port is] exactly which ports should be open and why/when. And how to CLOSE them (by port #) in whatever serves as their 'firewall' du jour.

They won't find any 'interpretive assistance' at insecure.org [if they find That] but... it's Out There, innit.

Sure, Peter -- LOTS of folks can, will do this;
they Love increasing their l33T skillz - piece o'cake.
We should restrict such tests to only those who can savour all the details and find out how to interpret them. Right after they learn how to edit the Registry.

As to hijacking via his site -?- I guess so.
But then, lots of folks open e-mail attachments too.
So Steve should make it comprehensive, free, easy + bulletproof, or: it sux, izzat it?
Maybe he should require e-mail confirmation of your addy before you can push that button.



You're a crank, y'know?

(But then, I too have mixed feelings about people who've been 'using' these machines for 10 years and get all weepy-eyed on first discovering what the word 'backup' might mean. Fuck-em - maybe they SHOULD all have to use nmap and XP-Hovel-edition forever...)

Speaking of us unwashed -
Hey! I almost.. got a Beast-modem to function in Mepis! init-string Bingo, etc.
Hell, >IT< thought it was 'Active', except ...

when it came to ackshully processing those little AT thingies and deciding to dial something. Mepis-Hovel-edition?
(The Hayes Optima is fine - but that was too easy.) ;^>




Ed: Optima or nit-picky ackurasy

Edited by Ashton Jan. 29, 2006, 06:10:34 AM EST
New Whatever, Ash.
ShieldsUP is a DDOS waiting to happen. (Or not waiting at all: who knows?)

(Its usage is also against the AUP of most ISPs - portscanning anything for any reason is usually verboten. You probably won't get caught, though.)

But hey, it's EASY, so therefore it's GOOD.

Gibson knows loads about hard disks and next to bugger-all about security.

I don't genuflect before his image.


Peter
[link|http://www.no2id.net/|Don't Let The Terrorists Win]
[link|http://www.kuro5hin.org|There is no K5 Cabal]
[link|http://guildenstern.dyndns.org|Home]
Use P2P for legitimate purposes!
New Sorry Ash, but Peter is right here.
New I acknowledge those valid criticisms.
But I also accept that - until some DDOS affair is definitely traced back to his site / or / ISPs more uniformly trap port scans.. (or at least sequential ones of this magnitude) -- it's still probably the closest thing to nmap that the clueless will actually use.

And it does, at least - flag the wide-open machines. The user may not grok much, but seeing a lot of red boxes -- just may prompt a few to ask someone to tell them the obvious.

Anyone who manages to close some of those ports, finally - is one less zombie. And isn't that what we mainly bitch about? the millions who don't even know that they don't know shit?


Then again.. likely it is merely Pearls before swine.
Maybe if grc closed its doors, there'd be no perceptible change in the zombie population. But since we can't measure that, anyway - -

     Steve Gibson: "WMF flaw was a deliberate back door". - (Andrew Grygus) - (30)
         He needs to adjust his tinfoil IMHO -NT - (altmann) - (9)
             He's got a pretty good case - (bepatient) - (8)
                 Yup - (broomberg)
                 Is there more in it than what was in the transcript? - (altmann) - (3)
                     Where'd you find a transcript? - (jb4) - (2)
                         On GRC - (Another Scott)
                         Podcast is just an MP3 -NT - (drewk)
                 A guy over at SysInternals is said to be . . . - (Andrew Grygus) - (2)
                     Sysinternals verdict: Not a back door - (altmann) - (1)
                         Just stupidity and incompetence, eh? SOP for M$. -NT - (n3jja)
         Seems very unlikely to me - (JayMehaffey) - (13)
             But that's just as bad - (bepatient) - (5)
                 Do I understand this right? - (drewk) - (3)
                     did $MS understand multithreading when they wrote it? -NT - (boxley)
                     It is part of that - (JayMehaffey)
                     No. - (broomberg)
                 I would say not quite as bad - (JayMehaffey)
             Microsoft have an explanation. - (static) - (6)
                 Artful Dodging - (admin) - (1)
                     Link fixed. - (static)
                 I like how that "blog" doesn't allow comments, too. -NT - (admin)
                 If it's brought forward from legacy stuff . . . - (Andrew Grygus) - (2)
                     Dang. Beat me to it. That was my first thought. -NT - (mmoffitt) - (1)
                         No default program for WMF = No "critical" vulnerability -NT - (altmann)
         Interesting "analysis" / Guess-of-motives - (Ashton) - (5)
             Shields up is a waste of time. - (pwhysall) - (4)
                 Elitist smugness - (Ashton) - (3)
                     Whatever, Ash. - (pwhysall) - (2)
                         Sorry Ash, but Peter is right here. -NT - (inthane-chan)
                         I acknowledge those valid criticisms. - (Ashton)
